Aug 26 ’08

Taking the Secure Migration Path to IT Virtualization

by Editor in z/Journal

Virtually every new technology that has significantly enhanced enterprise IT has been adopted in phases. Early IT adopters are quick to capitalize, with some reaping the advantages of a first mover position. Further into this phased approach is the mainstream, and those in this category take their time and wait for bugs to be worked out, prices to drop, and risks to be all but eliminated. IT managers at the back-end of this curve are inevitably playing catch-up.

Somewhere in the middle of the adoption cycle is a tipping point—the critical point in an evolving situation that leads to a new, irreversible environmental change. The time it takes to reach that point will vary—sometimes months; other times years. But when it happens, it’s significant and noticeable.

Such appears to be the case with IT virtualization, which Wikipedia refers to as the abstraction of computer resources. Virtualization hides the physical characteristics of computing resources from their users. This includes making a single physical resource, such as a server, operating system, application, or storage device, appear to function as multiple virtual resources. It also can include making multiple physical resources, such as storage devices or servers, appear as a single virtual resource.

This isn’t a new concept. IT practitioners have been mapping out plans and strategies that could be described as virtualization for years. Today, virtualization is at, or fast approaching, its tipping point. Just about every major system and application vendors’ Website includes discussion of their virtualization solutions. One can hardly pick up an IT magazine or read a blog without seeing some discussion of the benefits and challenges of desktop, server, and data center virtualization.

In assessing virtualization, as with any new technology, prudent IT managers won’t jump head first into projects without doing some careful planning. This is particularly important when it comes to IT security. Too often, IT security is treated as an afterthought to deployment of virtualization technology. That can have serious consequences.

Data security should be at the forefront of any new enterprise IT virtualization initiative. IT managers must ensure they’ve explored every avenue and that their current security measures are strong and flexible enough to adjust to dramatic changes in the way users interact with critical data. They must implement a data security solution and associated policies that will protect their corporate assets in a virtualized computing environment.

The Virtual Era

As enterprises focus on reducing IT expenses without compromising IT capabilities, they’re realizing the benefits of transitioning to virtual computing environments. Here are a few strong arguments for making this shift:

• Lower overall IT costs: Cost efficiency has always been an IT priority, but doing more with less is becoming standard operating procedure as more companies face difficult global economic realities. So IT managers are exploring virtualization to help lower IT costs. Desktop virtualization lets organizations get more out of existing hardware, no mater where it’s located, and helps businesses easily manage multiple laptops or PCs.

• Reduced energy use: Energy conservation is a well-publicized issue these days and it affects businesses as much as individuals. By incorporating virtualization technologies and replacing power-hungry PCs and servers with energy-efficient thin clients and virtual servers, enterprises can increase output while simultaneously decreasing energy consumption.

• Improved flexibility and remote access: As the mobile workforce grows, more employees are remotely accessing information from the data center. By adopting virtual environments, IT managers can monitor and maintain only a few central data locations as opposed to dozens, helping them efficiently manage multi-user access and ensure better security.

• Simplified computing model: Instead of increasing the infrastructure’s capacity by adding workstations, servers or memory capacity, IT managers can configure a flexible, centralized environment through virtualization. Consolidating servers ultimately enables an organization to significantly simplify administrative tasks and costs and align its business goals with its IT processes.

Aligning Security and Virtualization Requirements

While virtualization can be broadly beneficial, IT security must remain a priority. Since the mainframe has traditionally been the keeper of the most sensitive corporate data assets, and because it continues to play a pivotal role in enterprise computing today, it’s essential for the enterprises transitioning to a virtual environment to protect and sustain mainframe-resident financial, operational, and customer data.

It’s challenging to align business requirements, IT virtualization, and IT security. Using industry approved security protocols will alleviate some technical pains and help IT managers quickly accomplish business goals. To ensure a seamless transition to virtual environments, IT managers must remember these security commandments:

• End-to-end communications security: It’s just as important to encrypt data in transit in a virtual environment as it is in a “traditional” environment. Securing files and data transmissions from the server to all workstations, and from the workstations back to the server, provides significantly better security for all enterprise data.

• User authentication: With increased remote access to enterprise information held in the data center, it’s critical to ensure this data remains where it belongs and that only appropriate users can easily access it. When organizations implement desktop virtualization, they must take the proper steps to authenticate the host and client machines, in addition to authenticating the user through ID, password, or other means. This will prevent access from non-secure locations and make it more difficult for unauthorized users to take advantage of stolen IDs and passwords. It also enables easier tracking if an unauthorized entry occurs.

• Logging capabilities: Most mainframe systems and applications have extensive logging features. However, if an existing mainframe system lacks logging capabilities, it’s imperative for the IT manager to obtain this before transitioning into a virtual computing system. It’s essential to meticulously record information regarding who accessed data and when. By acquiring adequate logging procedures or modifying existing applications, IT managers can ensure data is correctly maintained and organized on the mainframe if an audit should occur.

• Central management: Since many administrative tasks, such as provisioning, auditing and maintenance, can be mundane and time-consuming, setting up automated capabilities will relieve IT managers of the overwhelming burden that comes with trying to manually handle these tasks. Incorporating technologies that let IT managers establish and maintain an enterprisewide security solution from one central location will simplify their tasks and help them identify security violations faster. In addition, centralized management provides scalability for large networks, reduces ongoing operating costs, and facilitates regulatory compliance.

• Continued compliancy: Organizations making the transition to a virtual environment must still comply with government regulations pertaining to data security. Existing and emerging privacy, security, auditing, and risk management regulations and standards, such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and the Federal Information Security Management Act (FISMA), are designed to help enterprises protect their data from more frequent, highly developed security threats or attacks, no matter what type of computing environment or platform they use.

Look Before Leaping

For efficiency-minded organizations, IT virtualization is an increasingly viable solution. It can deliver dramatic improvements, including a simplified computing model, reduced energy consumption, increased flexibility, and lower IT costs. However, migrating to a virtualized data center can be a complicated, time-consuming process, particularly for heterogeneous enterprise IT environments with mainframe and client/server systems running scores of complex applications. The virtualized environment, like other system architectures, faces a host of new security threats. Before pursuing virtualization, every enterprise must take time to outline a parallel data security migration path.

The last thing any IT manager can afford is to be caught off-guard. During the transition to a virtualized computing environment, they should carefully weigh the benefits and impending security threats before committing to IT virtualization. Without ensuring that company, client and customer data will be secured at all times in their new virtualized IT model, enterprises are setting themselves up for a potentially catastrophic breach.